CN110691074B - IPv6 data encryption method and IPv6 data decryption method - Google Patents


Info

Publication number: CN110691074B (other version: CN110691074A)
Application number: CN201910893716.1A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: encryption, network data, data frame, decryption, identifier
Legal status: Active
Inventors: 白建, 马星星, 齐振华, 范琳琳
Original and current assignee: Xi'an Riscv Electronic Technology Co ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The invention discloses an IPv6 data encryption method and an IPv6 data decryption method. The IPv6 data encryption method is applied to a first network device and an encryption device that are connected to each other, and the encryption device executes the IPv6 data encryption method, which comprises the following steps: receiving a first network data frame; acquiring a first payload from the first network data frame and acquiring an encryption identifier according to a first preset rule, where if the encryption identifier is a first identifier the first payload is encrypted to obtain ciphertext data, and if the encryption identifier is a second identifier first preset processing is performed on the first network data frame according to a first configuration parameter; and sending a second network data frame, where the second network data frame comprises the ciphertext data. The IPv6 data encryption method provided by the invention encrypts the payload without changing the frame header structure of the network data frame: the encrypted network data frame has exactly the same structure as the network data frame before encryption, so an encrypted frame and an unencrypted frame cannot be distinguished from the outside, and network security is strong.

Description

IPv6 data encryption method and IPv6 data decryption method
Technical Field
The invention belongs to the technical field of communication, and particularly relates to an IPv6 data encryption method and an IPv6 data decryption method.
Background
With the development of networks, daily office work cannot do without them, and ever more data needs to be transmitted over networks. Transmitting data over the public network carries larger potential security hazards, while a private network is costly. VPNs depend on an operator to provide the service and are expensive. Switching between the public network and an intranet is troublesome: switching back and forth not only affects work efficiency, but also makes data security hard to guarantee.
At present, networks are mainly based on IPv4, but as IPv4 resources are about to be exhausted, the next-generation Internet of Things solution IPv6 has matured, and operators and the large websites support and are perfecting IPv6. IPv6 will soon enter the various network application environments of daily life and gradually realize 'IPv6 Only'.
However, data encryption or decryption methods based on IPv6 are not yet widespread, and a data encryption method based on IPv6 is urgently needed. Most conventional data encryption encrypts the entire network data frame; when the entire frame is encrypted, all of its data is encrypted, so the encrypted network data frame may not be transmitted normally.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides an IPv6 data encryption method and an IPv6 data decryption method.
An embodiment of the invention provides an IPv6 data encryption method, which is applied to a first network device and an encryption device that are connected to each other, where the encryption device executes the following steps of the IPv6 data encryption method:
receiving a first network data frame, the first network data frame being transmitted by the first network device;
acquiring a first payload from the first network data frame, acquiring an encryption identifier according to a first preset rule, and judging the state of the encryption identifier: if the encryption identifier is a first identifier, encrypting the first payload to obtain ciphertext data, and if the encryption identifier is a second identifier, performing first preset processing on the first network data frame according to a first configuration parameter; and
sending a second network data frame, where the second network data frame comprises the ciphertext data.
In an embodiment of the present invention, determining the encryption identifier of the first payload according to a first preset rule includes:
judging whether the quintuple of the first network data frame matches a preset quintuple list of the encryption device; if a first quintuple matching the quintuple of the first network data frame exists in the preset quintuple list of the encryption device, setting the encryption identifier as the first identifier, and if no first quintuple matching the quintuple of the first network data frame exists in the preset quintuple list of the encryption device, setting the encryption identifier as the second identifier.
In an embodiment of the present invention, after setting the encryption identifier as the first identifier, the method further includes:
judging whether the flow label of the first network data frame matches a preset flow label list of the encryption device; if a first flow label matching the flow label of the first network data frame exists in the preset flow label list of the encryption device, keeping the encryption identifier set as the first identifier, and if no first flow label matching the flow label of the first network data frame exists in the preset flow label list of the encryption device, changing the encryption identifier to the second identifier.
In an embodiment of the present invention, encrypting the first payload to obtain ciphertext data includes:
acquiring a first quintuple matching the quintuple of the first network data frame in a preset quintuple list of the encryption device;
acquiring a first flow label matching the flow label of the first network data frame in a preset flow label list of the encryption device;
obtaining an encryption mode according to the first quintuple and the first flow label;
obtaining an encryption key according to the first quintuple and the first flow label;
and encrypting the first payload according to the encryption mode and the encryption key to obtain ciphertext data.
In an embodiment of the present invention, the method further includes determining whether first MAC management is configured and enabled; if not, performing any one of the IPv6 data encryption methods described above, and if the first MAC management is configured and enabled, processing the first network data frame according to a second preset rule.
Another embodiment of the present invention provides an IPv6 data decryption method, which is applied to a decryption device and a second network device that are connected to each other, where the decryption device executes the following steps of the IPv6 data decryption method:
receiving a third network data frame;
acquiring a second payload from the third network data frame, acquiring a decryption identifier according to a third preset rule, and judging the state of the decryption identifier: if the decryption identifier is a third identifier, decrypting the second payload to obtain plaintext data, and if the decryption identifier is a fourth identifier, performing second preset processing on the third network data frame according to a second configuration parameter; and
sending a fourth network data frame to the second network device, the fourth network data frame including the plaintext data.
In an embodiment of the present invention, determining the decryption identifier of the second payload according to a third preset rule includes:
judging whether the quintuple of the third network data frame matches a preset quintuple list of the decryption device; if a second quintuple matching the quintuple of the third network data frame exists in the preset quintuple list of the decryption device, setting the decryption identifier as the third identifier, and if no second quintuple matching the quintuple of the third network data frame exists in the preset quintuple list of the decryption device, setting the decryption identifier as the fourth identifier.
In an embodiment of the present invention, after setting the decryption identifier as the third identifier, the method further includes:
judging whether the flow label of the third network data frame matches a preset flow label list of the decryption device; if a second flow label matching the flow label of the third network data frame exists in the preset flow label list of the decryption device, keeping the decryption identifier set as the third identifier, and if no second flow label matching the flow label of the third network data frame exists in the preset flow label list of the decryption device, changing the decryption identifier to the second identifier.
In an embodiment of the present invention, decrypting the second payload to obtain plaintext data includes:
acquiring a second quintuple matched with the quintuple of the third network data frame in a preset quintuple list of the decryption device;
acquiring a second flow label matched with the flow label of the third network data frame in a preset flow label list of the decryption device;
obtaining a decryption mode according to the second quintuple and the second flow label;
obtaining a decryption key according to the second quintuple and the second flow label;
and decrypting the second payload according to the decryption mode and the decryption key to obtain plaintext data.
In an embodiment of the present invention, the method further includes determining whether second MAC management is configured and enabled; if not, performing any one of the IPv6 data decryption methods described above, and if the second MAC management is configured and enabled, processing the third network data frame according to a fourth preset rule.
Compared with the prior art, the invention has the beneficial effects that:
the IPv6 data encryption method provided by the invention encrypts the payload without changing the frame header structure of the network data frame and without affecting network performance; the structure of the encrypted network data frame is exactly the same as that of the network data frame before encryption, so an encrypted frame and an unencrypted frame cannot be distinguished from the outside, attacks are harder to mount, and network security is stronger.
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Drawings
Fig. 1 is a schematic flowchart of an IPv6 data encryption method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the connection between a first network device and an encryption device in an IPv6 data encryption method according to an embodiment of the present invention;
Fig. 3 is a flowchart of an IPv6 data decryption method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the connection between a decryption device and a second network device in an IPv6 data decryption method according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the connection between network devices in an IPv6 data encryption method and data decryption method according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the connection between network devices in another IPv6 data encryption method and data decryption method according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to specific examples, but the embodiments of the present invention are not limited thereto.
Example one
Referring to Fig. 1, which is a flowchart of an IPv6 data encryption method according to an embodiment of the present invention: this embodiment provides an IPv6 data encryption method, applied to a first network device and an encryption device that are connected to each other, where the encryption device executes the following steps of the IPv6 data encryption method:
step 1, receiving a first network data frame, where the first network data frame is sent by the first network device;
step 2, acquiring a first payload from the first network data frame, acquiring an encryption identifier according to a first preset rule, and judging the state of the encryption identifier: if the encryption identifier is a first identifier, encrypting the first payload to obtain ciphertext data, and if the encryption identifier is a second identifier, performing first preset processing on the first network data frame according to a first configuration parameter;
step 3, sending a second network data frame, where the second network data frame comprises the ciphertext data.
In particular, at present there are security risks when secret data is transmitted over a public network: software encryption cannot cover all network data and is inconvenient to manage uniformly, and as IPv4 resources are about to be exhausted and the next-generation Internet of Things solution IPv6 matures, a data encryption and decryption method based on IPv6 is urgently needed. To address this problem, this embodiment provides an IPv6 data encryption method; refer to Fig. 2, which is a schematic diagram of the connection between a first network device and an encryption device in the IPv6 data encryption method of this embodiment. The first network device sends a first network data frame to the encryption device. The encryption device obtains a first payload from the first network data frame and then, according to a first preset rule, obtains an encryption identifier that records whether the first payload is to be encrypted. Under the first identifier the encryption device encrypts the first payload to obtain ciphertext data and re-encapsulates the header of the first network data frame together with the ciphertext to form a second network data frame, which therefore contains the ciphertext data. Under the second identifier the encryption device performs first preset processing on the first network data frame according to a first configuration parameter, which is configured on the encryption device according to actual network requirements. The encryption device then sends the second network data frame to the subsequent network device.
The first preset processing includes transparent transmission, discarding or other processing; transparent transmission is preferred, since it allows plaintext communication with any network without affecting access to public network data.
Most traditional data encryption encrypts the whole network data frame, so that all data in the frame is encrypted and the encrypted frame may not be transmitted normally. In this embodiment the payload is encrypted without changing the frame header structure of the network data frame or affecting network performance: the structure of the encrypted network data frame is exactly the same as that of the network data frame before encryption, an encrypted frame and an unencrypted frame cannot be distinguished from the outside, attacks are harder to mount, and network security is stronger.
Further, in this embodiment, in step 1, the encryption device receives a first network data frame, and the first network data frame is sent by the first network device.
Specifically, referring to Fig. 2, in this embodiment the first network device sends the first network data frame to the encryption device through network port A. The first network data frame consists of the application layer data of the first network device with an Ethernet II header, an IPv6 header and a TCP header or a UDP header added in sequence, specifically:
the frame structure of the Ethernet II header added in this embodiment is shown in table 1:
TABLE 1 frame structure of Ethernet II header (table image not reproduced)
the frame structure of the IPv6 header added in this embodiment is shown in table 2:
TABLE 2 frame structure of IPv6 header (table image not reproduced)
the frame structure of the TCP header added in this embodiment is shown in table 3:
TABLE 3 frame structure of TCP header (table image not reproduced)
the frame structure of the UDP header added in this embodiment is shown in table 4:
TABLE 4 frame structure of UDP header (table image not reproduced)
As shown in table 5, the first network data frame in this embodiment is constructed from the Ethernet II header of table 1, the IPv6 header of table 2, the TCP header of table 3 and the application layer data received through network port A, or alternatively from the Ethernet II header of table 1, the IPv6 header of table 2, the UDP header of table 4 and the application layer data:
TABLE 5 structure of first network data frame
| Ethernet II header | IPv6 header | TCP header or UDP header | Application layer data |
Further, in this embodiment, in step 2 the encryption device obtains the first payload from the first network data frame, obtains the encryption identifier according to the first preset rule, and processes the first payload according to the state of the encryption identifier.
Specifically, in this embodiment the entire first network data frame is not encrypted; instead, the first payload of the first network data frame is obtained, an encryption identifier indicating whether the first payload is to be encrypted is obtained according to the first preset rule, and the first payload is processed according to that encryption identifier. Step 2 consists of step 2.1, step 2.2 and step 2.3:
step 2.1, obtaining an encryption identifier according to the first preset rule.
Specifically, the first preset rule of this embodiment includes judging whether the quintuple of the first network data frame matches a preset quintuple list of the encryption device: if a first quintuple matching the quintuple of the first network data frame exists in the preset quintuple list, the encryption identifier is set as the first identifier, and if none exists, the encryption identifier is set as the second identifier. The encryption device is pre-configured with the preset quintuple list, which contains the quintuples corresponding to all network data frames in the network that need to be encrypted; each such quintuple is called a first quintuple. After receiving the first network data frame, the encryption device judges whether a first quintuple matching the frame's quintuple exists in its preset quintuple list; if so, the encryption identifier is set as the first identifier, and if not, as the second identifier. In this embodiment, the quintuple of the first network data frame and each quintuple in the preset quintuple list of the encryption device consist of a source IPv6 address, a source port, a destination IPv6 address, a destination port and a transport layer protocol.
The source IPv6 address and the destination IPv6 address in each first quintuple of the preset quintuple list on the encryption device both support IPv6 address wildcards: each address may be an exact IPv6 address or an IPv6 address expressed with wildcards; the source port or destination port may be an exact value, any port number, or a partially specified port range; the transport layer protocol supports TCP or UDP; the flow label may be an exact value, any value or a specified range; and the source and destination IPv6 addresses are determined according to the actual configuration of network data encryption.
The quintuple encryption policy provided by this embodiment allows the encryption device to perform one-to-one, one-to-many and many-to-many encryption processing of network data frames, encrypting the specified network data frames in the network, which is convenient for unified management; the quintuple encryption policy of this embodiment can be used in any network environment, uses the TCP/UDP protocol, and does not depend on any other service.
Further, the first preset rule of this embodiment also includes that, after the encryption identifier is set as the first identifier, it is judged whether the flow label of the first network data frame matches the preset flow label list of the encryption device: if a first flow label matching the flow label of the first network data frame exists in the preset flow label list, the encryption identifier is kept set as the first identifier, and if none exists, the encryption identifier is changed to the second identifier. The encryption device is pre-configured with the preset flow label list, which contains the flow labels corresponding to all network data frames in the network that need to be encrypted; each such flow label is called a first flow label. Having obtained a first identifier from the quintuple of the first network data frame, the encryption device judges whether a first flow label matching the frame's flow label exists in its preset flow label list; if so, the encryption identifier remains the first identifier and the first payload is then encrypted, and if not, the encryption identifier is changed to the second identifier and only the first preset processing is performed on the first network data frame according to the first configuration parameter.
The encryption policy combining the quintuple with the flow label allows the encryption device to perform one-to-one, one-to-many and many-to-many encryption processing of network data frames. Because the preset flow label list and the preset quintuple list on the encryption device are configured together and the flow label of each network data frame differs, different network data frames receive different encryption processing, which improves network information security.
step 2.2, if the encryption identifier is the first identifier, encrypting the first payload to obtain ciphertext data.
Specifically, when the encryption identifier is the first identifier, that is, when both the quintuple and the flow label of the first network data frame have a matching first quintuple and first flow label on the encryption device, the encryption device encrypts the first payload. In this embodiment it first obtains the first quintuple in its preset quintuple list that matches the quintuple of the first network data frame and the first flow label in its preset flow label list that matches the flow label of the first network data frame, then obtains an encryption mode and an encryption key according to that first quintuple and first flow label, and finally encrypts the first payload according to the encryption mode and the encryption key to obtain the ciphertext data:
Each first quintuple in the preset quintuple list and each first flow label in the preset flow label list of the encryption device together correspond to an encryption mode and a group of encryption keys; the encryption modes set for different first quintuples and first flow labels may be the same or different, and likewise the encryption keys. When the encryption identifier is the first identifier, that is, when a first quintuple matching the quintuple of the first network data frame and a first flow label matching its flow label both exist, the correspondingly configured encryption mode and encryption key are looked up by that first quintuple and first flow label, and the first payload of the first network data frame, the network data to be encrypted, is encrypted to obtain the ciphertext data. The encryption mode may use an algorithm such as SM4, ZUC, AES or DES. When the encryption mode corresponding to the first quintuple and the first flow label is forced transparent transmission, the first network data frame is passed through directly and no encryption key needs to be set; when the encryption mode is not forced transparent transmission, the first payload of the first network data frame is encrypted with the encryption key configured for that encryption mode.
The encryption device of this embodiment supports one-to-one, one-to-many and many-to-many encryption processing of network data frames. For example, in many-to-many processing a plurality of first network devices transmit network data frames at the same time; when the encryption device receives a plurality of network data frames, it judges the state of the encryption identifier for each in turn, and if several first identifiers exist at the same time it processes the network data frame according to the first identifier with the highest priority. The priority of a first identifier is preset in the encryption device and is tied to the corresponding first quintuple in the preset quintuple list. For each matched network data frame, the first payload is encrypted according to the encryption mode and encryption key corresponding to its first quintuple and first flow label.
In this embodiment the encryption device holds a plurality of first quintuples, and since first quintuples support wildcards, a first network data frame may match several first quintuples at once; each first quintuple corresponds to an encryption method and an encryption key, so when the frame matches several first quintuples, its first payload is encrypted according to the encryption method and encryption key of the matching first quintuple with the highest priority.
The encryption policy combining the quintuple with the flow label realizes group management of the encryption keys of the network devices, one-to-one, one-to-many and many-to-many encryption between network devices, and group encryption of all network data in the network, which is convenient for unified management; because the flow label of each network data frame differs, different network data frames receive different encryption processing, further improving network information security.
step 2.3, if the encryption identifier is the second identifier, performing first preset processing on the first network data frame according to the first configuration parameter.
Specifically, in this embodiment the quintuple and the flow label serve as the encryption policy; a first network data frame that matches none of the first quintuples in the preset quintuple list of the encryption device undergoes first preset processing according to the actual design requirements, where the first preset processing includes transparent transmission, discarding or other processing, transparent transmission being preferred. According to the actual design requirements, the first configuration parameter can be configured on the encryption device in advance as the basis for this decision.
In many-to-many encryption processing, when a plurality of first network devices are connected to the encryption device, the encryption device processes the received first network data frames in the order in which they are received. Apart from IP fragments, each network data frame received by the encryption device should be an independent network data frame, and the encryption device should process each independent frame separately. For network data frames that are IP fragments, the fragmented packets need to be reassembled into a network data frame before encryption.
Further, in step 3 of this embodiment, the encryption device sends a second network data frame, where the second network data frame includes the ciphertext data.
Specifically, the encryption device in this embodiment re-encapsulates the ciphertext data with the frame header information of the first network data frame to form a second network data frame, and sends the second network data frame to the subsequent network device through network port B, as shown in fig. 2; the frame header information of the first network data frame includes the Ethernet II header of table 1, the IPv6 header of table 2, and the TCP header of table 3 or the UDP header of table 4. The second network data frame has the same structure as the first network data frame, only the specific contents in the frame differ; that is, this embodiment does not modify the frame header content of the network data frame after encryption, encrypts only the first payload, does not change the structure of the network data frame, and does not affect network performance.
Further, when the encryption device executes the IPv6 data encryption method, step 4 is further included to determine whether the encryption device configures or starts the first MAC management.
Specifically, the encryption device further supports a first MAC management function, where the first MAC management function includes a first MAC list and a second MAC list; specifically, the first MAC list is a MAC blacklist, the second MAC list is a MAC whitelist, and the MAC addresses of the communication network devices in the network are preconfigured in the MAC blacklist and the MAC whitelist of the encryption device respectively. When the MAC blacklist is enabled, the network data frames of all source MAC addresses are allowed to be received by default, and only those whose source MAC address is in the MAC blacklist are refused; that is, in blacklist mode, to refuse the network data frames of certain source MAC addresses, those source MAC addresses are simply entered in the blacklist. Similarly, when the MAC whitelist is enabled, the network data frames of all source MAC addresses are refused by default, and only those whose source MAC address is in the MAC whitelist are allowed; that is, in whitelist mode, to allow the network data frames of certain source MAC addresses, those source MAC addresses are simply entered in the MAC whitelist. Step 4 of this embodiment specifically includes step 4.1 and step 4.2:
and 4.1, not configuring or starting the first MAC management on the encryption equipment.
Specifically, in this embodiment, by default, network data frames of all source MAC addresses in the network are allowed to be received, and the encryption device performs IPv6 data encryption processing on the received first network data frame according to the above steps 1, 2, and 3.
And 4.2, configuring and starting first MAC management on the encryption equipment, and processing the first network data frame according to a second preset rule.
Specifically, when this embodiment configures and enables the first MAC management, it needs to determine whether the first MAC list or the second MAC list is enabled, where the second preset rule includes a first preset sub-rule and a second preset sub-rule; specifically, step 4.2 includes steps 4.2.1 and 4.2.2:
and 4.2.1, if the first MAC list is started, processing the first network data frame according to a first preset sub-rule.
Specifically, the first preset sub-rule in this embodiment determines whether the first network data frame matches the first MAC list: if the source MAC address of the first network data frame matches any MAC address in the first MAC list, the first network data frame is subjected to the first preset processing according to the first configuration parameter, and at this time the first preset processing is preferably discarding; if the source MAC address of the first network data frame does not match any MAC address in the first MAC list, the encryption device performs IPv6 data encryption processing on the first network data frame according to the above steps 1, 2, and 3.
And 4.2.2, if the second MAC list is started, processing the first network data frame according to a second preset sub-rule.
Specifically, the second preset sub-rule in this embodiment is specifically to determine whether the first network data frame is matched with the second MAC list, specifically, if the source MAC address of the first network data frame is matched with at least one MAC address in the second MAC list, the encryption device performs IPv6 data encryption on the first network data frame according to the above steps 1, 2, and 3, and if the source MAC address of the first network data frame is not matched with the MAC address in the second MAC list, performs the first preset process on the first network data frame according to the first configuration parameter, where the first preset process is preferably discarded.
In the embodiment, the MAC black/white list function is configured on the encryption equipment, so that illegal equipment can be prevented from accessing the encryption equipment, and the security of network data transmission is improved.
In summary, in this embodiment, by combining the quintuple with the encryption policy of the flow label and the MAC black/white list function, one-to-one, one-to-many, and many-to-many encryption of network data frames can be implemented, all network data in the network is encrypted in a packet, and an illegal device can be effectively prevented from accessing the encryption and decryption device, so that unified management is facilitated.
Example two
On the basis of the first embodiment, please refer to fig. 3, and fig. 3 is a flowchart illustrating an IPv6 data decryption method according to an embodiment of the present invention. The embodiment provides an IPv6 data decryption method, which is applied to a decryption device and a second network device that are connected to each other, where the decryption device executes the IPv6 data decryption method, and includes the following steps:
step 1, receiving a third network data frame;
step 2, acquiring a second payload from the third network data frame, acquiring a decryption identifier according to a third preset rule, judging the state of the decryption identifier, decrypting the second payload to obtain plaintext data if the decryption identifier is a third identifier, and performing second preset processing on the third network data frame according to a second configuration parameter if the decryption identifier is a fourth identifier;
and 3, sending a fourth network data frame to the second network equipment, wherein the fourth network data frame comprises plaintext data.
Specifically, please refer to fig. 4, where fig. 4 is a schematic diagram of the connection relationship between a decryption device and a second network device in an IPv6 data decryption method according to an embodiment of the present invention. The decryption device in this embodiment receives a third network data frame sent by a preceding-stage network device, obtains a second payload from the third network data frame, and then obtains, according to a third preset rule, a decryption identifier indicating whether or not the second payload is to be decrypted. Under the third identifier it decrypts the second payload to obtain plaintext data and re-encapsulates the frame header of the third network data frame with the decrypted second payload to form a fourth network data frame containing the plaintext data; under the fourth identifier it performs second preset processing on the third network data frame according to a second configuration parameter, the second configuration parameter being configured on the decryption device according to actual network requirements. The decryption device then sends the fourth network data frame to the second network device. The second preset processing includes transparent transmission, discarding or other processing; transparent transmission is preferred, and is chosen so that plaintext communication with any network remains possible without affecting access to public network data.
This embodiment chooses to decrypt only the second payload and does not change the frame header structure of the network data frame, so network performance is not affected; the structure of the decrypted network data frame is exactly the same as that of the network data frame before decryption, so from the outside it cannot be distinguished whether a frame has been decrypted or not, which makes the frames harder to attack and the network more secure.
Further, in step 1 of this embodiment, the decryption device receives the third network data frame.
Specifically, please refer to fig. 5, where fig. 5 is a schematic diagram of the connection relationship between network devices in an IPv6 data encryption method and data decryption method according to an embodiment of the present invention. In this embodiment, the preceding-stage network device in fig. 4 includes the first network device and the encryption device connected as in embodiment one; at this time, the third network data frame received by the decryption device is the second network data frame sent by the encryption device, and since the second network data frame includes ciphertext data, the third network data frame includes the encrypted ciphertext data. The third network data frame has the same structure as the second network data frame and the first network data frame, only part of the specific content in the frame differs; specifically, the structure of the third network data frame is as shown in table 5 of embodiment one.
Further, in step 2 of this embodiment, a second payload is obtained from the third network data frame, a decryption identifier is obtained according to a third preset rule, and the second payload is processed according to the state of the decryption identifier.
Specifically, in this embodiment, the whole third network data frame is not decrypted, but a second payload of the third network data frame is obtained, a decryption identifier of whether the decryption process is performed on the second payload is obtained according to a third preset rule, and the second payload is processed through the decryption identifier, where the specific step 2 includes step 2.1, step 2.2, and step 2.3:
and 2.1, obtaining a decryption identifier according to a third preset rule.
Specifically, the third preset rule of this embodiment includes determining whether a quintuple of the third network data frame matches a preset quintuple list of the decryption device, setting the decryption identifier as the third identifier if a second quintuple matching the quintuple of the third network data frame exists in the preset quintuple list of the decryption device, and setting the decryption identifier as the fourth identifier if the second quintuple matching the quintuple of the third network data frame does not exist in the preset quintuple list of the decryption device. The decryption device is pre-configured with a preset quintuple list, the preset quintuple list comprises all quintuples corresponding to network data frames needing to be decrypted in the network, and each quintuple is marked as a second quintuple. And after receiving the third network data frame, the decryption device judges whether a second quintuple matched with the quintuple of the third network data frame exists in a preset quintuple list of the decryption device, if so, sets the decryption identifier as the third identifier, and if not, sets the decryption identifier as the fourth identifier. In this embodiment, each of the quintuple of the third network data frame and each of the second quintuple in the preset quintuple list of the decryption device includes a source IPv6 address, a source port, a destination IPv6 address, a destination port, and a transport layer protocol. 
The source IPv6 address and the destination IPv6 address in each second quintuple in the preset quintuple list of the decryption device both support IPv6 address wildcards: an IPv6 address can be any exact IPv6 address or any IPv6 address expressed with a wildcard; the source port or the destination port can be an exact value, any port number or a partially specified port number range; the transport layer protocol supports TCP or UDP; and the flow label can be an exact value, any value or a specified range. The source IPv6 address and the destination IPv6 address are determined according to the actual configuration of network data decryption.
The quintuple decryption strategy provided by this embodiment can realize one-to-one, one-to-many and many-to-many decryption processing of network data frames by the decryption device, decrypts the specified network data frames in the network and is convenient for unified management; the quintuple decryption strategy provided by this embodiment can be used in any network environment, uses the TCP/UDP protocol, and does not depend on any other service.
Further, the third preset rule in this embodiment further includes that after the decryption identifier is set as the third identifier, it is determined whether the flow label of the third network data frame matches the preset flow label list of the decryption device, if a second flow label matching the flow label of the third network data frame exists in the preset flow label list of the decryption device, the decryption identifier is kept set as the third identifier, and if a second flow label matching the flow label of the third network data frame does not exist in the preset flow label list of the decryption device, the decryption identifier is modified and set as the fourth identifier. A preset flow label list is pre-configured on the decryption device, the preset flow label list includes flow labels corresponding to all network data frames needing to be decrypted in the network, and each flow label is marked as a second flow label. And after the decryption device obtains a decryption identifier as a third identifier through a quintuple of the third network data frame, judging whether a second flow label matched with the flow label of the third network data frame exists in a preset flow label list of the decryption device, if so, keeping the decryption identifier as the third identifier, subsequently decrypting the second payload, if not, modifying the decryption identifier as the fourth identifier, and subsequently, only needing to perform second preset processing on the third network data frame according to a second configuration parameter.
The decryption strategy of this embodiment, combining the quintuple with the flow label, realizes one-to-one, one-to-many and many-to-many decryption processing of network data frames by the decryption device; because the preset flow label list configured in advance on the decryption device is configured together with the preset quintuple list, and the flow label of each network data frame is different, different decryption processing is carried out on different network data frames, which improves network information security.
And 2.2, if the decryption identifier is the third identifier, decrypting the second payload to obtain plaintext data.
Specifically, in this embodiment, when the decryption identifier is the third identifier, the decryption device decrypts the second payload, specifically, in this embodiment, first, a second quintuple in a preset quintuple list of the decryption device, which is matched with the quintuple of the third network data frame, is obtained, a second flow label in a preset flow label list of the decryption device, which is matched with the flow label of the third network data frame, is obtained, then, a decryption mode is obtained according to the second quintuple and the second flow label, a decryption key is obtained according to the second quintuple and the second flow label, and finally, the second payload is decrypted according to the decryption mode and the decryption key, so as to obtain plaintext data:
when the decryption device of this embodiment decrypts by using the quintuple policy, each second quintuple in the preset quintuple list of the decryption device corresponds to one decryption mode and one group of decryption keys, and the decryption identifier is a third identifier at this time, that is, there is a matching between the second quintuple and the quintuple of the third network data frame, the decryption mode and the decryption key configured correspondingly are found according to the second quintuple, and the second payload in the third network data frame, that is, the network data to be decrypted is decrypted by using the decryption mode and the decryption key to obtain plaintext data; when the decryption device decrypts by adopting a strategy of combining the quintuple with the flow label, each second quintuple in the preset quintuple list of the decryption device and each second flow label in the preset flow label list of the decryption device correspond to a decryption mode and a group of decryption keys together, the correspondingly set decryption modes can be the same or different, and the decryption keys can be the same or different. And when the decryption identifier is a third identifier, namely a second quintuple is matched with the quintuple of the third network data frame and a second flow label is matched with the flow label of the third network data frame, finding a decryption mode and a decryption key which are correspondingly configured according to the second quintuple and the second flow label, and decrypting a second payload in the third network data frame through the decryption mode and the decryption key, namely decrypting the network data which needs to be decrypted to obtain plaintext data. The decryption mode can adopt decryption methods such as sm4, zuc, aes, des and the like. 
When the decryption mode corresponding to the second quintuple and the second flow label is forced transparent transmission, the third network data frame can be directly transmitted without setting a decryption key; and when the decryption mode corresponding to the second quintuple and the second flow label is the non-forced transparent transmission mode, the second payload of the third network data frame is decrypted by combining the decryption key configured correspondingly with the second quintuple and the second flow label in the decryption mode.
The decryption device of the present embodiment supports one-to-one, one-to-many, and many-to-many decryption processes of network data frames. For example, in the decryption process of many-to-many network data frames, multiple preceding-stage network devices simultaneously transmit network data frames, the decryption device receives multiple network data frames, and then sequentially determines the states of decryption identifiers on the decryption device, if multiple third identifiers simultaneously exist in the decryption identifiers, the decryption identifiers are processed according to a third identifier with the highest priority, the priority of the third identifier is preset in the decryption device, and the priority of the third identifier is specifically related to a second quintuple in a quintuple list preset in the decryption device. And for the matched network data frame, decrypting the second payload of the matched network data frame according to the decryption mode and the decryption key corresponding to the second quintuple and the second flow label.
In this embodiment, the decryption device includes a plurality of second quintuples, and the second quintuples support wildcards, which may cause a third network data frame to be simultaneously matched with the plurality of second quintuples, and each second quintuple corresponds to a decryption method and a decryption key, that is, when the decryption device is simultaneously matched with the plurality of second quintuples, the second payload of the third network data frame is decrypted according to the decryption method and the decryption key corresponding to the second quintuple with the highest priority.
The decryption strategy combining the quintuple with the flow label realizes group management of the decryption keys of the network devices, realizes one-to-one, one-to-many and many-to-many decryption of the network data of the network devices in the network, can realize group decryption of all network data in the network and is convenient for unified management; and since each network data frame carries a different flow label, different network data frames receive different decryption processing, which improves network information security.
And 2.3, if the decryption identifier is the fourth identifier, performing second preset processing on the third network data frame according to the second configuration parameter.
Specifically, in this embodiment, the quintuple and the flow label are used as a decryption policy, and for a third network data frame that does not match with all second quintuples in the preset quintuple list of the decryption device, second preset processing is performed according to actual design requirements, where the second preset processing includes transparent transmission, discarding or other processing, and at this time, the second preset processing is preferably transparent transmission. According to the actual design requirement, the second configuration parameter can be configured on the decryption device in advance to be used as a judgment basis.
In the decryption process of the many-to-many network data frames, when a plurality of third network devices are connected to the decryption device, the decryption device processes the received third network data frames in sequence according to the receiving sequence. Except for the IP fragment, the network data frame received by the decryption device each time should be an independent network data frame, and the decryption device should process the independent network data frame separately. And corresponding to the network data frame of the IP fragment, the data packet of the fragment needs to be decrypted after being restored into the network data frame.
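The third preset rule of step 2.1, the flow-label check, and the priority resolution of steps 2.2 and 2.3, as an added, runnable Python example that is not code from the patent (the same engine serves the encryption side of embodiment one). The wildcard syntax (`ANY`, address prefixes, `(lo, hi)` ranges), the `priority` field, the `"passthrough"` mode name and the second, wildcard rule are assumptions; the exact rule uses the values of embodiment three.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Wildcard conventions are this example's own: the page says an address may be
# exact or a wildcard, and a port or flow label exact, any, or a range, but it
# gives no syntax.  "any", a prefix such as "FE80::/64", an int, or a (lo, hi)
# tuple are therefore assumptions.
ANY = "any"
NumSpec = Union[str, int, Tuple[int, int]]


@dataclass(frozen=True)
class Quintuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # "TCP" or "UDP", taken from the IPv6 Next Header


@dataclass(frozen=True)
class Rule:
    """One second quintuple of the preset list, paired with its second flow
    label, decryption mode and key (the page configures these lists together)."""
    src_ip: str           # exact address, prefix, or ANY
    src_port: NumSpec
    dst_ip: str
    dst_port: NumSpec
    proto: str            # "TCP", "UDP" or ANY
    flow_label: NumSpec   # 20-bit IPv6 flow label
    priority: int         # higher wins when wildcards make several rules match
    mode: str             # "des", "sm4", "aes", "zuc" or "passthrough"
    key: Optional[bytes]  # may be None only when mode == "passthrough"


THIRD_ID = "third"        # decrypt the second payload
FOURTH_ID = "fourth"      # second preset processing (transparent transmission/discard)


def _ip_matches(spec: str, addr: str) -> bool:
    if spec == ANY:
        return True
    # A bare address becomes a /128 network; a prefix keeps its mask.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _num_matches(spec: NumSpec, value: int) -> bool:
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        low, high = spec
        return low <= value <= high
    return spec == value


def quintuple_matches(rule: Rule, q: Quintuple) -> bool:
    return (_ip_matches(rule.src_ip, q.src_ip)
            and _num_matches(rule.src_port, q.src_port)
            and _ip_matches(rule.dst_ip, q.dst_ip)
            and _num_matches(rule.dst_port, q.dst_port)
            and rule.proto in (ANY, q.proto))


def decide(q: Quintuple, flow_label: int, rules) -> Tuple[str, Optional[Rule]]:
    """Third preset rule: returns (identifier, winning rule or None)."""
    if not 0 <= flow_label <= 0xFFFFF:
        raise ValueError("IPv6 flow label is a 20-bit field")
    # 1. Quintuple list.  No second quintuple matches -> fourth identifier.
    hits = [r for r in rules if quintuple_matches(r, q)]
    if not hits:
        return FOURTH_ID, None
    # 2. Flow-label list, consulted only after a quintuple hit.  A hit whose
    #    flow label does not match is downgraded to the fourth identifier.
    #    Assumption: the label is checked per paired entry, so a wildcard entry
    #    can still carry the frame when an exact entry's label fails.
    hits = [r for r in hits if _num_matches(r.flow_label, flow_label)]
    if not hits:
        return FOURTH_ID, None
    # 3. Wildcards may leave several entries; the highest priority decides the
    #    decryption mode and key.
    return THIRD_ID, max(hits, key=lambda r: r.priority)


def mode_and_key(rule: Rule) -> Tuple[str, Optional[bytes]]:
    """Forced transparent transmission needs no key; every other mode must have one."""
    if rule.mode == "passthrough":
        return rule.mode, None
    if rule.key is None:
        raise ValueError("decryption mode %s configured without a key" % rule.mode)
    return rule.mode, rule.key


# Constructed configuration: the exact entry uses the values of embodiment three
# (ports 1F40 hex, flow label F9000 hex); the wildcard entry is our own.
RULES = [
    Rule("FE80::C0A8:01C8", 0x1F40, "FE80::C0A8:0164", 0x1F40, "TCP",
         0xF9000, priority=10, mode="des", key=b"key123456"),
    Rule("FE80::/64", ANY, "FE80::/64", ANY, ANY, ANY,
         priority=1, mode="passthrough", key=None),
]

if __name__ == "__main__":
    q = Quintuple("FE80::C0A8:01C8", 0x1F40, "FE80::C0A8:0164", 0x1F40, "TCP")
    print(decide(q, 0xF9000, RULES))   # third identifier, des rule
    print(decide(q, 0x00001, RULES))   # third identifier, passthrough rule
```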
Further, in this embodiment, in step 3, the decryption device sends a fourth network data frame to the second network device, where the fourth network data frame includes plaintext data.
Specifically, the decryption device in this embodiment re-encapsulates the plaintext data with the header information of the third network data frame to form a fourth network data frame, and sends the fourth network data frame to the second network device through port B, as shown in fig. 4 or 5; the header information of the third network data frame includes the Ethernet II header of table 1, the IPv6 header of table 2, and the TCP header of table 3 or the UDP header of table 4. The fourth network data frame has the same structure as the third network data frame, the second network data frame and the first network data frame, only the specific contents of parts of the frame differ. It can be seen that in this embodiment the frame header content of the network data frame is not modified after decryption, only the second payload is decrypted, the structure of the network data frame is not changed, and network performance is not affected; the structure of the decrypted network data frame is exactly the same as that of the network data frame before decryption, so from the outside it cannot be distinguished whether a frame has been decrypted or not, which makes the frames harder to attack and the network more secure.
Further, when the decryption device executes the IPv6 data decryption method, step 4 is further included to determine whether the decryption device configures or activates the second MAC management.
Specifically, the decryption device further supports a second MAC management function, where the second MAC management function includes a third MAC list and a fourth MAC list; specifically, the third MAC list is a MAC blacklist, the fourth MAC list is a MAC whitelist, and the MAC addresses of the communication network devices in the network are preconfigured in the MAC blacklist and the MAC whitelist of the decryption device respectively. As in embodiment one, when the MAC blacklist is enabled, the network data frames of all source MAC addresses are allowed to be received by default, and only those whose source MAC address is in the MAC blacklist are refused; that is, in blacklist mode, to refuse the network data frames of certain source MAC addresses, those source MAC addresses are simply entered in the blacklist. Similarly, when the MAC whitelist is enabled, the network data frames of all source MAC addresses are refused by default, and only those whose source MAC address is in the MAC whitelist are allowed; that is, in whitelist mode, to allow the network data frames of certain source MAC addresses, those source MAC addresses are simply entered in the MAC whitelist. Step 4 of this embodiment specifically includes step 4.1 and step 4.2:
and 4.1, the second MAC management is not configured or started on the decryption equipment.
Specifically, in this embodiment, by default, network data frames of all source MAC addresses in the network are allowed to be received, and the decryption device performs IPv6 data decryption processing on the received third network data frame according to step 1, step 2, and step 3 in this embodiment.
And 4.2, if the second MAC management is configured and started on the decryption device, processing the third network data frame according to a fourth preset rule.
Specifically, if the second MAC management is configured and started in this embodiment, it is necessary to determine whether the third MAC list or the fourth MAC list is started, and the fourth preset rule includes a third preset sub-rule and a fourth preset sub-rule, and specifically, the step 4.2 includes the steps 4.2.1 and 4.2.2:
and 4.2.1, if the third MAC list is started, processing the third network data frame according to a third preset sub-rule.
Specifically, the third preset sub-rule in this embodiment determines whether the third network data frame matches the third MAC list: if the source MAC address of the third network data frame matches any MAC address in the third MAC list, the third network data frame is subjected to the second preset processing according to the second configuration parameter, and at this time the second preset processing is preferably discarding; if the source MAC address of the third network data frame does not match any MAC address in the third MAC list, the decryption device performs IPv6 data decryption processing on the third network data frame according to steps 1, 2, and 3 of this embodiment.
And 4.2.2, if the fourth MAC list is started, processing the third network data frame according to a fourth preset sub-rule.
Specifically, the fourth preset sub-rule in this embodiment is specifically to determine whether the third network data frame is matched with the fourth MAC list, specifically, if the source MAC address of the third network data frame is matched with at least one MAC address in the fourth MAC list, the decryption device performs IPv6 data decryption on the third network data frame according to steps 1, 2, and 3 of this embodiment, if the source MAC address of the third network data frame is not matched with the MAC address in the fourth MAC list, performs the second preset process on the third network data frame according to the second configuration parameter, and at this time, the second preset process is preferably discarded.
In the embodiment, the MAC black/white list function is configured on the decryption device, so that illegal devices can be prevented from accessing the decryption device, and the security of network data transmission is improved.
In summary, in this embodiment, by combining the quintuple with the decryption policy of the flow label, one-to-one, one-to-many, and many-to-many network data frames of the network device can be decrypted, all network data in the network is decrypted in a packet, and an illegal device can be effectively prevented from accessing the encryption and decryption device, so that unified management is facilitated.
Example three
Based on the first and second embodiments, in order to describe the implementation of the IPv6 data encryption method of the first embodiment and the IPv6 decryption method of the second embodiment, the following examples are used to describe:
The encryption device and the decryption device in this embodiment should be used in combination. Just as the first network device may be a plurality of network devices connected to the encryption device through a switch, the second network device may also be a plurality of network devices connected to the decryption device through a switch. The encryption device or the decryption device is used to realize one-to-one, one-to-many and many-to-many encryption processing or decryption processing of network data frames, where one-to-one means that one encryption device corresponds to one decryption device, one-to-many means that one encryption device corresponds to a plurality of decryption devices, and many-to-many means that a plurality of encryption devices correspond to a plurality of decryption devices.
Referring to fig. 5 again, the network of this embodiment includes a first network device, an encryption device, a decryption device, and a second network device that are connected in sequence, and the network implements one-to-one network data encryption and decryption. Specifically, in the encryption process, the first network device sends a first network data frame to the encryption device; the quintuple of the first network data frame is FE80::C0a8:01C8, 1F40, FE80::C0a8:0164, 1F40, TCP, and the flow label value of the first network data frame is F9000. The source IPv6 address, source port, destination IPv6 address, destination port number, transport layer protocol, encryption algorithm and encryption key preset on the encryption device are FE80::C0a8:01C8, 1F40, FE80::C0a8:0164, 1F40, TCP, des, key123456, so the first quintuple is FE80::C0a8:01C8, 1F40, FE80::C0a8:0164, 1F40, TCP. The encryption device receives the first network data frame, judges that its quintuple matches the first quintuple in the preset quintuple list of the encryption device and that its flow label matches a first flow label in the preset flow label list of the encryption device, encrypts the first payload that needs to be encrypted in the first network data frame according to the encryption mode des and the encryption key key123456 preset on the encryption device to obtain ciphertext data, re-encapsulates the ciphertext data with the frame header information of the first network data frame to form a second network data frame, and sends the second network data frame to the decryption device. In the decryption process, the decryption device receives the second network data frame (the third network data frame of the second embodiment); the quintuple of the second network data frame is FE80::C0a8:01C8, 1F40, FE80::C0a8:0164, 1F40, TCP; the source IPv6 address, source port, destination IPv6 address, destination port number, transport layer protocol, encryption algorithm and encryption key preset on the decryption device are FE80::C0a8:01C8, 1F40, FE80::C0a8:0164, 1F40, TCP, des, and 123456, so the second quintuple is FE80::C0a8:01C8, 1F40, FE80::C0a8:0164, 1F40, TCP. The decryption device judges that the quintuple of the second network data frame matches the second quintuple in the preset quintuple list of the decryption device and that its flow label matches a second flow label in the preset flow label list of the decryption device, decrypts the second network data frame according to the decryption mode des and the decryption key key123456 preset on the decryption device to obtain plaintext data, re-encapsulates the plaintext data with the frame header information of the second network data frame to form a fourth network data frame, and sends the fourth network data frame to the second network device, completing the transmission of the ciphertext data between the first network device and the second network device. Throughout the encryption process and the decryption process of this embodiment the structure of the network data frames remains completely consistent, so the network security is stronger.
In this embodiment, the encryption device and the decryption device may be independent devices, as shown in fig. 5: the network data frame received by the encryption device is encrypted by the encryption device according to the IPv6 data encryption method described in the first embodiment, and the network data frame received by the decryption device is decrypted by the decryption device according to the IPv6 data decryption method described in the second embodiment. The IP header of the packet data remains unchanged throughout the encryption process and the decryption process in the whole network; that is, the IP headers of the first network data frame, the second network data frame, the third network data frame and the fourth network data frame are identical, and the IP header includes the IPv6 flow label.
The encryption device and the decryption device in this embodiment may also be the same device, denoted as an encryption and decryption device, which can perform either encryption processing or decryption processing. Specifically, whether a network data frame in transmission is encrypted or decrypted is determined by the configuration parameters on the encryption and decryption device: when the configuration parameters specify that encryption processing is to be performed, the network data frame received by the encryption and decryption device is encrypted according to the IPv6 data encryption method described in the first embodiment, and when the configuration parameters specify that decryption processing is to be performed, the network data frame received by the encryption and decryption device is decrypted according to the IPv6 data decryption method described in the second embodiment; the IP header remains unchanged in the encryption process and the decryption process of the packet data in the entire network. Referring to fig. 6, fig. 6 is a schematic diagram of the connection relationship between network devices in another IPv6 data encryption method and data decryption method according to an embodiment of the present invention. The network in this embodiment includes a first network device, a first encryption and decryption device, a second encryption and decryption device, and a second network device that are connected in sequence, and what is implemented in the network is a one-to-one network data encryption and decryption process. Specifically, as shown in fig.
6, if bidirectional data in the network needs to be encrypted: when the first network device FE80::C0A8:01C8 sends a network data frame to the second network device FE80::C0A8:0164, the network data frame is encrypted when passing through the first encryption and decryption device and decrypted when passing through the second encryption and decryption device; when the first network device FE80::C0A8:0164 sends a network data frame to the second network device FE80::C0A8:01C8, the network data frame is encrypted when passing through the second encryption and decryption device and decrypted when passing through the first encryption and decryption device. In this embodiment, the first network device serves as the sending end and the second network device serves as the receiving end, and encryption and decryption of network data between the first network device and the second network device is achieved under different IP addresses. The quintuple policy in the first encryption and decryption device and the quintuple policy in the second encryption and decryption device may be set in only one direction, in which case the first encryption and decryption device and the second encryption and decryption device automatically generate the quintuple policy for the opposite direction from the quintuple policy set for that one direction, or the quintuple policy may be set in both directions; the quintuple policy for a single direction is detailed in the implementation of the quintuple policy in fig. 5.
It should be noted that whether the encryption device and the decryption device are set up independently or set up as the same device is determined by the specific network environment. The IPv6 address in the five-tuple encryption and decryption policy pre-configured on the encryption device and the decryption device may be an exact IPv6 address (e.g., "FE80::C0A8:01C8", "FE80::C0A8:0164", etc.), or an IPv6 address written with wildcard operators (e.g., "FE80::C0A8:*", "FE80::C0*", "FE80::*", etc.), in which case the address identifies all hosts in that network segment as subject to IPv6 data encryption and decryption processing. The source port number and the destination port number in the five-tuple encryption and decryption policies pre-configured on the encryption device and the decryption device may be exact numbers (such as 1F40), any port number, or a partially specified range of port numbers (such as "*" or "1F4?", where "?" refers to a single decimal digit). The transport layer protocol in the quintuple encryption and decryption policies pre-configured on the encryption device and the decryption device supports TCP or UDP. The flow label pre-configured on the encryption device and the decryption device may be an exact value (e.g., 26AC), any value, or a specified range (e.g., "*" or "26A?").
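The wildcard policy matching described above, as an added example that is not part of the patent (the patent contains no code): a Python matcher in which "*" matches any run of characters and "?" one digit, applied to the quintuple fields and then to the flow label list in the order claim 1 prescribes (quintuple first; a quintuple hit without a flow label hit falls back to the second identifier). Assumptions, not taken from the page: the Policy structure and function names, that each quintuple policy carries its own flow label list, that addresses are compared in canonical compressed form, and that "?" matches one hexadecimal digit (the page says decimal, but writes ports and flow labels in hex). The policy table is constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Wildcard syntax of the preset policies, as assumed here:
#   "*"  matches any run of characters (including none)
#   "?"  matches exactly one hex digit
#   anything else matches literally, case-insensitively

def _glob_to_regex(pattern: str) -> re.Pattern:
    out = []
    for ch in pattern.lower():
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append("[0-9a-f]")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")

def _norm_addr_pattern(pattern: str) -> str:
    """Bring an address pattern into the canonical compressed form that
    ipaddress produces (lowercase, no leading zeros in literal groups), so
    the policy text "FE80::C0A8:01C8" matches the wire address fe80::c0a8:1c8."""
    groups = []
    for g in pattern.lower().split(":"):
        if g and "*" not in g and "?" not in g:
            g = g.lstrip("0") or "0"
        groups.append(g)
    return ":".join(groups)

def addr_matches(pattern: str, addr: str) -> bool:
    canon = ipaddress.IPv6Address(addr).compressed
    return _glob_to_regex(_norm_addr_pattern(pattern)).match(canon) is not None

def hex_matches(pattern: str, value: int) -> bool:
    """Ports and flow labels are matched on their hex text, e.g. 0x1F40 -> "1f40"."""
    return _glob_to_regex(pattern).match(f"{value:x}") is not None

@dataclass
class Policy:
    src_addr: str
    src_port: str
    dst_addr: str
    dst_port: str
    proto: str
    # flow-label pattern -> (encryption mode, key); a per-policy list is an assumption
    flow_labels: dict = field(default_factory=dict)

def quintuple_matches(p: Policy, src, sport, dst, dport, proto) -> bool:
    return (addr_matches(p.src_addr, src) and hex_matches(p.src_port, sport)
            and addr_matches(p.dst_addr, dst) and hex_matches(p.dst_port, dport)
            and _glob_to_regex(p.proto).match(proto.lower()) is not None)

def encryption_identifier(policies, src, sport, dst, dport, proto, flow_label):
    """Claim-1 decision: the first quintuple policy that matches is taken; the
    identifier is 'first' only if one of its flow-label entries matches too,
    otherwise it is set back to 'second' and the frame is not encrypted."""
    for p in policies:
        if not quintuple_matches(p, src, sport, dst, dport, proto):
            continue
        for label_pat, (mode, key) in p.flow_labels.items():
            if hex_matches(label_pat, flow_label):
                return "first", mode, key
        return "second", None, None
    return "second", None, None

# Constructed policy table (not from the patent): one exact policy as in the
# fig. 5 example, one wildcard policy covering a whole link-local segment.
POLICIES = [
    Policy("FE80::C0A8:01C8", "1F40", "FE80::C0A8:0164", "1F40", "TCP",
           {"F9000": ("des", "123456")}),
    Policy("FE80::C0A8:*", "*", "FE80::C0A8:0164", "1F4?", "UDP",
           {"26A?": ("des", "segment-key-a"), "*": ("des", "segment-key-b")}),
]
```

Policy order matters: the first quintuple hit decides, so a broad wildcard entry placed before an exact one shadows it, and a flow label outside the hit policy's list sends the frame through unencrypted rather than trying the next policy.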
Fig. 5 and fig. 6 are only described as an embodiment, and the connection of each device in the encryption process or the decryption process is based on the actual network design requirement, and only the IPv6 data encryption method described in the first embodiment needs to be executed on the encryption device, and the IPv6 data decryption method described in the second embodiment needs to be executed on the decryption device.
The present embodiment may implement the above-mentioned IPv6 data encryption method embodiment and the above-mentioned IPv6 data decryption method embodiment, and the implementation principle and technical effect are similar, and are not described herein again.
Example four
From the third embodiment it can be seen that the encryption device and the decryption device do not need IP addresses: neither of them needs to be configured with an IPv6 address or a MAC address. That is, the encryption device and the decryption device may be devices without IP addresses and can still implement encryption or decryption processing of network data frames in a locally managed network; in that case all network data frames can be received by setting the network cards of the encryption device and the decryption device to promiscuous mode.
When remote management of the encryption device and the decryption device is required, this embodiment implements it by having each device borrow the IPv6 address and the MAC address of the downlink device connected to it in order to communicate with the management server, thereby implementing encryption or decryption processing of network data frames in a remote network.
The encryption device of this embodiment may execute the above-mentioned IPv6 data encryption method embodiment, and the decryption device may execute the above-mentioned IPv6 data decryption method embodiment, which have similar implementation principles and technical effects, and are not described herein again.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.

Claims (4)

1. An IPv6 data encryption method, applied to a first network device and an encryption device connected to each other, wherein the encryption device executes the IPv6 data encryption method and comprises the following steps:
receiving a first network data frame, the first network data frame being transmitted by the first network device;
acquiring a first payload from the first network data frame, acquiring an encryption identifier according to a first preset rule, judging the state of the encryption identifier, if the encryption identifier is a first identifier, encrypting the first payload to obtain ciphertext data, and if the encryption identifier is a second identifier, performing first preset processing on the first network data frame according to a first configuration parameter;
transmitting a second network data frame, the second network data frame including the ciphertext data;
the acquiring of the encryption identifier according to the first preset rule includes:
judging whether the quintuple of the first network data frame is matched with a preset quintuple list of the encryption device, if a first quintuple matched with the quintuple of the first network data frame exists in the preset quintuple list of the encryption device, setting the encryption identifier as the first identifier, and if the first quintuple matched with the quintuple of the first network data frame does not exist in the preset quintuple list of the encryption device, setting the encryption identifier as the second identifier;
after the encrypted identifier is set as the first identifier, the method further comprises the following steps:
judging whether the flow label of the first network data frame is matched with a preset flow label list of the encryption device, if a first flow label matched with the flow label of the first network data frame exists in the preset flow label list of the encryption device, keeping the encryption identifier set as the first identifier, and if no first flow label matched with the flow label of the first network data frame exists in the preset flow label list of the encryption device, changing the encryption identifier to the second identifier;
the encrypting the first payload to obtain ciphertext data includes:
acquiring a first quintuple matched with the quintuple of the first network data frame in a preset quintuple list of the encryption equipment;
acquiring a first flow label matched with the flow label of the first network data frame in a preset flow label list of the encryption equipment;
obtaining an encryption mode according to the first quintuple and the first flow label;
obtaining an encryption key according to the first quintuple and the first flow label;
encrypting the first payload according to the encryption mode and the encryption key to obtain ciphertext data;
each first flow label in the preset flow label list corresponds to an encryption mode and a group of encryption keys.
2. The IPv6 data encryption method according to claim 1, further comprising determining whether a first MAC management is configured or enabled, and if the first MAC management is not configured or enabled, performing the IPv6 data encryption method according to claim 1, and if the first MAC management is configured and enabled, processing the first network data frame according to a second preset rule.
3. An IPv6 data decryption method is applied to a decryption device and a second network device which are connected with each other, wherein the decryption device executes the IPv6 data decryption method and comprises the following steps:
receiving a third network data frame;
acquiring a second payload from the third network data frame, acquiring a decryption identifier according to a third preset rule, judging the state of the decryption identifier, decrypting the second payload to obtain plaintext data if the decryption identifier is a third identifier, and performing second preset processing on the third network data frame according to a second configuration parameter if the decryption identifier is a fourth identifier;
sending a fourth network data frame to the second network device, the fourth network data frame including the plaintext data;
the acquiring of the decryption identifier according to the third preset rule includes:
judging whether the quintuple of the third network data frame is matched with a preset quintuple list of the decryption device, if a second quintuple matched with the quintuple of the third network data frame exists in the preset quintuple list of the decryption device, setting the decryption identifier as the third identifier, and if the second quintuple matched with the quintuple of the third network data frame does not exist in the preset quintuple list of the decryption device, setting the decryption identifier as the fourth identifier;
after the decryption identifier is set to the third identifier, the method further includes:
judging whether the flow label of the third network data frame is matched with a preset flow label list of the decryption device, if a second flow label matched with the flow label of the third network data frame exists in the preset flow label list of the decryption device, keeping the decryption identifier set as the third identifier, and if no second flow label matched with the flow label of the third network data frame exists in the preset flow label list of the decryption device, changing the decryption identifier to the fourth identifier;
the decrypting the second payload to obtain plaintext data includes:
acquiring a second quintuple matched with the quintuple of the third network data frame in a preset quintuple list of the decryption device;
acquiring a second flow label matched with the flow label of the third network data frame in a preset flow label list of the decryption device;
obtaining a decryption mode according to the second quintuple and the second flow label;
obtaining a decryption key according to the second quintuple and the second flow label;
decrypting the second payload according to the decryption mode and the decryption key to obtain plaintext data;
each second flow label in the preset flow label list corresponds to a decryption mode and a group of decryption keys.
4. The IPv6 data decryption method according to claim 3, further comprising determining whether a second MAC management is configured or enabled, and if the second MAC management is not configured or enabled, performing the IPv6 data decryption method according to claim 3, and if the second MAC management is configured and enabled, processing the third network data frame according to a fourth preset rule.
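The per-frame procedure of claims 1 and 3, applied to the one-to-one case of fig. 5, as an added example that is not the patent's own implementation: it parses a constructed Ethernet II / IPv6 / TCP frame, extracts the quintuple and the 20-bit flow label, looks up the preset mode and key by exact match, replaces only the transport payload, and carries every header byte over unchanged, so the decryption device matches the same quintuple and flow label on the second frame and the fourth frame equals the first. Assumptions, not from the page: the table layout, the function names, that the "second identifier" handling forwards the frame unchanged, and the frame contents; the standard library has no DES, so a keyed HMAC-SHA256 keystream XOR stands in for the page's "des" mode.

```python
import hashlib
import hmac
import ipaddress
import struct

ETH_LEN, IPV6_LEN = 14, 40
PROTO_NAMES = {6: "TCP", 17: "UDP"}
L4_HDR_LEN = {"TCP": 20, "UDP": 8}        # assumption: TCP without options

def parse_frame(frame: bytes):
    """Split an Ethernet II / IPv6 / TCP-or-UDP frame into
    (quintuple, flow_label, header_bytes, transport_payload), or None if
    the next header is not TCP/UDP (then there is no quintuple to match)."""
    word, _plen, nxt, _hop = struct.unpack("!IHBB", frame[ETH_LEN:ETH_LEN + 8])
    flow_label = word & 0xFFFFF                       # low 20 bits of the first IPv6 word
    src = ipaddress.IPv6Address(frame[ETH_LEN + 8:ETH_LEN + 24])
    dst = ipaddress.IPv6Address(frame[ETH_LEN + 24:ETH_LEN + 40])
    proto = PROTO_NAMES.get(nxt)
    if proto is None:
        return None
    l4 = ETH_LEN + IPV6_LEN
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    cut = l4 + L4_HDR_LEN[proto]
    return (str(src), sport, str(dst), dport, proto), flow_label, frame[:cut], frame[cut:]

def quintuple_key(src, sport, dst, dport, proto):
    """Canonical table key, so policies can be written as on the page (FE80::C0A8:01C8)."""
    return (str(ipaddress.IPv6Address(src)), sport, str(ipaddress.IPv6Address(dst)), dport, proto)

def keystream_xor(key: bytes, flow_label: int, data: bytes) -> bytes:
    """Stand-in for the page's 'des' mode (assumed): XOR with an HMAC-SHA256
    keystream, symmetric so encryption and decryption are the same call.
    Keeping the frame byte-identical leaves no room for a per-packet IV, so
    the keystream repeats across packets of one flow; a deployment needs a
    cipher mode that tolerates that or an out-of-band nonce source."""
    out = b""
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, struct.pack("!IH", flow_label, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

MODES = {"des": keystream_xor}   # mode name -> transform (stand-in, see above)

def process(frame: bytes, policies: dict):
    """Claim 1 on the encryption device / claim 3 on the decryption device.
    Returns (output_frame, identifier); the 'second' identifier path is
    assumed to forward the frame unchanged."""
    parsed = parse_frame(frame)
    if parsed is None:
        return frame, "second"
    quintuple, flow_label, headers, payload = parsed
    entry = policies.get(quintuple, {}).get(flow_label)   # exact match; wildcards omitted here
    if entry is None:
        return frame, "second"
    mode, key = entry
    # Only the transport payload is replaced: every Ethernet, IPv6 and TCP/UDP
    # header byte (flow label included) is carried over, so the decryption
    # device sees the same quintuple and the original TCP checksum is valid
    # again once the plaintext has been restored in front of the receiver.
    return headers + MODES[mode](key, flow_label, payload), "first"

def build_frame(src, sport, dst, dport, flow_label, payload: bytes) -> bytes:
    """Constructed Ethernet II / IPv6 / TCP frame (sample data, not captured traffic)."""
    eth = bytes.fromhex("021122334455" "02aabbccddee") + b"\x86\xdd"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip6 = struct.pack("!IHBB", (6 << 28) | flow_label, len(tcp) + len(payload), 6, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return eth + ip6 + tcp + payload

# Preset table mirroring the fig. 5 example; the decryption device holds the same entry.
POLICIES = {
    quintuple_key("FE80::C0A8:01C8", 0x1F40, "FE80::C0A8:0164", 0x1F40, "TCP"):
        {0xF9000: ("des", b"123456")},
}

def run_demo():
    plaintext = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"       # constructed payload
    first = build_frame("FE80::C0A8:01C8", 0x1F40, "FE80::C0A8:0164", 0x1F40, 0xF9000, plaintext)
    second, enc_id = process(first, POLICIES)                        # encryption device
    fourth, dec_id = process(second, POLICIES)                       # decryption device
    other = build_frame("FE80::C0A8:01C8", 0x1F40, "FE80::C0A8:0164", 0x1F40, 0x12345, plaintext)
    passed, other_id = process(other, POLICIES)                      # flow label not in list
    hdr = ETH_LEN + IPV6_LEN + L4_HDR_LEN["TCP"]
    return {
        "enc_id": enc_id, "dec_id": dec_id, "other_id": other_id,
        "headers_unchanged": first[:hdr] == second[:hdr] == fourth[:hdr],
        "payload_hidden": second[hdr:] != plaintext,
        "roundtrip": fourth == first,
        "other_forwarded_unchanged": passed == other,
    }

if __name__ == "__main__":
    print(run_demo())
```

Because the quintuple and the flow label stay in the clear, the decryption device needs no state beyond its preset table, which is what lets the same device run either direction from configuration alone; the cost is that anyone on the path can read which hosts, ports and flows are being protected, and that the payload length is unchanged.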

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910893716.1A CN110691074B (en) 2019-09-20 2019-09-20 IPv6 data encryption method and IPv6 data decryption method

Publications (2)

Publication Number Publication Date
CN110691074A CN110691074A (en) 2020-01-14
CN110691074B true CN110691074B (en) 2022-04-22

Family

ID=69109646

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant